Class AbstractDelegationTokenBinding
java.lang.Object
  org.apache.hadoop.service.AbstractService
    com.google.cloud.hadoop.fs.gcs.auth.AbstractDelegationTokenBinding

All Implemented Interfaces:
Closeable, AutoCloseable, org.apache.hadoop.service.Service

public abstract class AbstractDelegationTokenBinding extends org.apache.hadoop.service.AbstractService
Binds file system with service and access token provider

Nested Class Summary

protected class AbstractDelegationTokenBinding.TokenSecretManager
    The secret manager always uses the same secret; the factory for new identifiers is that of the token manager.

Field Summary

protected org.apache.hadoop.security.token.SecretManager<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> secretManager

Constructor Summary

protected AbstractDelegationTokenBinding(String name, org.apache.hadoop.io.Text kind)
protected AbstractDelegationTokenBinding(org.apache.hadoop.io.Text kind)

Method Summary

void bindToFileSystem(GoogleHadoopFileSystem fileSystem, org.apache.hadoop.io.Text service)
    Bind to the filesystem.
abstract AccessTokenProvider bindToTokenIdentifier(org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier retrievedIdentifier)
    Bind to the token identifier, returning the credentials providers to use for the owner to talk to GCP services.
protected <T extends org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> T convertTokenIdentifier(org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier identifier, Class<T> expectedClass)
    Verify that a token identifier is of a specific class.
org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> createDelegationToken(String renewer, DelegationTokenStatistics stats)
    Create a delegation token for the user.
abstract org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier createEmptyIdentifier()
    Create a new "empty" token identifier.
abstract org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier createTokenIdentifier()
    Create a token identifier with all the information needed to be included in a delegation token.
abstract org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier createTokenIdentifier(org.apache.hadoop.io.Text renewer)
    Create a token identifier with all the information needed to be included in a delegation token.
abstract AccessTokenProvider deployUnbonded()
    Perform any actions when deploying unbonded, and return a list of credentials providers.
GoogleHadoopFileSystem getFileSystem()
    Returns the bound file system
org.apache.hadoop.io.Text getKind()
org.apache.hadoop.io.Text getService()

Methods inherited from class org.apache.hadoop.service.AbstractService
close, getBlockers, getConfig, getFailureCause, getFailureState, getLifecycleHistory, getName, getServiceState, getStartTime, init, isInState, noteFailure, putBlocker, registerGlobalListener, registerServiceListener, removeBlocker, serviceInit, serviceStart, serviceStop, setConfig, start, stop, toString, unregisterGlobalListener, unregisterServiceListener, waitForServiceToStop

Constructor Detail

AbstractDelegationTokenBinding
protected AbstractDelegationTokenBinding(org.apache.hadoop.io.Text kind)

AbstractDelegationTokenBinding
protected AbstractDelegationTokenBinding(String name, org.apache.hadoop.io.Text kind)

Method Detail

getKind
public org.apache.hadoop.io.Text getKind()

getFileSystem
public GoogleHadoopFileSystem getFileSystem()
Returns the bound file system

getService
public org.apache.hadoop.io.Text getService()

deployUnbonded
public abstract AccessTokenProvider deployUnbonded() throws IOException
Perform any actions when deploying unbonded, and return a list of credentials providers.
Throws:
IOException - any failure.

bindToTokenIdentifier
public abstract AccessTokenProvider bindToTokenIdentifier(org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier retrievedIdentifier) throws IOException
Bind to the token identifier, returning the credentials providers to use for the owner to talk to GCP services.
Parameters:
retrievedIdentifier - the unmarshalled data
Returns:
non-empty list of GCP credentials providers to use for authenticating this client with GCP services.
Throws:
IOException - any failure.

bindToFileSystem
public void bindToFileSystem(GoogleHadoopFileSystem fileSystem, org.apache.hadoop.io.Text service)
Bind to the filesystem. Subclasses can use this to perform their own binding operations - but they must always call their superclass implementation. This must be called before calling init().
Important: This binding will happen during FileSystem.initialize(); the FS is not live for actual use and will not yet have interacted with GCS services.
Parameters:
fileSystem - owning FS.
service - name of the service (i.e. bucket name) for the FS.

createDelegationToken
public org.apache.hadoop.security.token.Token<org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> createDelegationToken(String renewer, DelegationTokenStatistics stats) throws IOException
Create a delegation token for the user. This will only be called if a new DT is needed, that is: the filesystem has been deployed unbound.
Returns:
the token
Throws:
IOException - if one cannot be created

createTokenIdentifier
public abstract org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier createTokenIdentifier(org.apache.hadoop.io.Text renewer) throws IOException
Create a token identifier with all the information needed to be included in a delegation token. This is where session credentials need to be extracted, etc. This will only be called if a new DT is needed, that is: the filesystem has been deployed unbound.
If createDelegationToken(java.lang.String, com.google.cloud.hadoop.fs.gcs.DelegationTokenStatistics) is overridden, this method can be replaced with a stub.
Returns:
the token data to include in the token identifier.
Throws:
IOException - failure creating the token data.

createTokenIdentifier
public abstract org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier createTokenIdentifier() throws IOException
Create a token identifier with all the information needed to be included in a delegation token. This is where session credentials need to be extracted, etc. This will only be called if a new DT is needed, that is: the filesystem has been deployed unbound.
If createDelegationToken(java.lang.String, com.google.cloud.hadoop.fs.gcs.DelegationTokenStatistics) is overridden, this method can be replaced with a stub.
Returns:
the token data to include in the token identifier.
Throws:
IOException - failure creating the token data.

createEmptyIdentifier
public abstract org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier createEmptyIdentifier()
Create a new "empty" token identifier. It is used by the "dummy" SecretManager, which requires a token identifier (even one that's not real) to satisfy the contract.
Returns:
an empty identifier.

convertTokenIdentifier
protected <T extends org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier> T convertTokenIdentifier(org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier identifier, Class<T> expectedClass) throws DelegationTokenIOException
Verify that a token identifier is of a specific class. This will reject subclasses (i.e. it is stricter than instanceof), then cast it to that type.
Parameters:
identifier - identifier to validate
expectedClass - class of the expected token identifier.
Throws:
DelegationTokenIOException - If the wrong class was found.
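
The exact-class check described for convertTokenIdentifier, shown as an added sketch that is not the connector's own code. The identifier classes and the convert helper are hypothetical stand-ins, and IOException stands in for DelegationTokenIOException.

```java
import java.io.IOException;

public class StrictIdentifierCheck {
    // Hypothetical stand-ins for DelegationTokenIdentifier and a binding's own identifier type.
    static class BaseIdentifier {}
    static class ServiceAccountIdentifier extends BaseIdentifier {}
    // A subclass the binding was not written for, e.g. an identifier from another binding.
    static class ExtendedIdentifier extends ServiceAccountIdentifier {}

    // Exact-class comparison followed by a cast (assumed behaviour, based on the description above).
    static <T extends BaseIdentifier> T convert(BaseIdentifier identifier, Class<T> expectedClass)
            throws IOException {
        if (identifier == null || !identifier.getClass().equals(expectedClass)) {
            throw new IOException("Wrong token identifier class: expected "
                + expectedClass.getName() + ", got "
                + (identifier == null ? "null" : identifier.getClass().getName()));
        }
        return expectedClass.cast(identifier);
    }

    public static void main(String[] args) throws IOException {
        BaseIdentifier exact = new ServiceAccountIdentifier();
        BaseIdentifier sub = new ExtendedIdentifier();

        // instanceof is satisfied by the subclass, so a looser check would let it through.
        System.out.println("instanceof accepts subclass: "
            + (sub instanceof ServiceAccountIdentifier));

        // An identifier of exactly the expected class is accepted and cast.
        ServiceAccountIdentifier ok = convert(exact, ServiceAccountIdentifier.class);
        System.out.println("exact class accepted: " + ok.getClass().getSimpleName());

        // The subclass is rejected even though the cast itself would have succeeded.
        try {
            convert(sub, ServiceAccountIdentifier.class);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```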